Question Presented

Whether a plaintiff who alleges only mental and emotional injuries can establish "actual damages" within the meaning of the civil remedies provision of the Privacy Act, 5 U.S.C. 552a(g)(4)(A).

Background

In FAA v. Cooper, the Supreme Court must decide whether the "actual damages" recoverable for willful and intentional violations of the Privacy Act include damages for mental and emotional distress. As a result of a joint taskforce involving the Department of Transportation ("DOT"), Federal Aviation Administration ("FAA"), and Social Security Administration ("SSA"), Respondent Stanmore Cooper's medical records were exchanged by FAA and SSA officials in violation of the Privacy Act. The investigators determined that Cooper withheld his HIV status from the FAA over an 8-year period, and as a result he lost his pilot's license and was indicted on three counts of making false statements to a government agency. Cooper filed suit against the government for willfully and intentionally violating the Privacy Act and causing him severe emotional distress by disclosing his HIV status.

The FAA requires a pilot to have a valid airman medical certificate to operate an aircraft. The medical certificate must be renewed periodically and requires the disclosure of any illnesses, disabilities, or surgeries the applicant has experienced during his lifetime, along with the identification of any medications the applicant is taking at the time of the application. Cooper received his private pilot certificate in 1964, and was diagnosed with HIV in 1985. In 1994, Cooper re-applied for a medical certificate without disclosing his HIV status or his antiretroviral medication regimen. In August 1995, Cooper's symptoms worsened, and he applied for long-term disability benefits with the SSA, revealing his HIV status to the agency. Cooper stated his belief at the time that his medical information would be held confidential. Cooper qualified for the benefits and received them from August 1995 to August 1996.

In 2002, the Office of the Inspector General for the Department Of Transportation ("DOT") and the Inspector General for the SSA collaborated to form "Operation Safe Pilot." During the course of Operation Safe Pilot, the DOT, SSA, and the FAA aggregated their previously segregated pools of individualized data. This process identified Cooper as a person of interest because he was certified to fly by the FAA, yet had received disability benefits from the SSA. Acting on this information, federal agents acquired Cooper's medical file from the FAA and his disability file from the SSA. The medical file revealed that Cooper never disclosed his HIV status to the FAA. The disability file contained information relating to Cooper's HIV status. Both sides acknowledge that the agents willfully and intentionally violated Cooper's rights under the Privacy Act by swapping his medical files without his consent or director approval.

In March 2007, Cooper filed a lawsuit in the Northern District of California against the FAA, SSA, and DOT. Cooper argued that the government agencies willfully or intentionally violated the Privacy Act of 1974, 5 U.S.C. § 552a, when they exchanged his FAA and SSA medical records. The Privacy Act restricts the ability of one federal agency to provide personal information to another federal agency without consent or approval. Specifically, the Act forbids federal agencies from disclosing any record which is contained in a system of records to any person or other federal agency unless the disclosure falls within specific exceptions outlined in the Act, or is approved in writing. Congress designed the law "to protect the privacy of individuals identified in information systems maintained by Federal agencies" by controlling "the collection, maintenance, use, and dissemination of information by such agencies."

Cooper demonstrated that the unlawful disclosure of his medical files caused him "to suffer humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress." The Privacy Act includes a private right of action that allows citizens to sue the federal government if an agency makes an unauthorized disclosure that has an "adverse effect" on the individual. In Doe v. Chao, 540 U.S. 614 (2004), the Supreme Court held that, even when a plaintiff shows that the Government violated the privacy act by disclosing his Social Security Number, an individual must prove some actual damages before he can receive the minimum $1,000 award.

The district court in this case held that the Government failed to uphold its obligations under the Privacy Act. But, the court ruled that the Privacy Act only allows recovery for pecuniary damages. The district court found that because Cooper did not allege any pecuniary damages, he could not state a claim for relief under the Privacy Act. The district court also held that the "sovereign immunity cannon" requires a court to construe the Privacy Act damages provision in favor of the Government when the statutory language is ambiguous.

The Court of Appeals for the Ninth Circuit reversed the district court's decision and held that mental and emotional damages constitute "actual damages" under the Privacy Act. The Ninth Circuit also held that the sovereign immunity cannon was inapplicable in this case, because Congress' intent to allow recovery for mental and emotional damages was "unambiguous." The FAA, DOT, and SSA filed a petition for Writ of Certiorari with the Supreme Court, asking the Court to reverse the Ninth Circuit opinion. The Supreme Court granted the petition on June 20, 2011.

EPIC's Amicus Curiae Brief in Support of Respondent Cooper

EPIC filed a "Friend of the Court" Brief in this case, arguing that Congress intended the Privacy Act to provide robust and comprehensive protections for individual privacy. EPIC argued that these comprehensive protections are only effective if the Privacy Act is enforced. Congress frequently provides civil remedies for individuals adversely effected by violations of Federal Law, especially in the privacy context, in order to ensure enforcement of its statutory frameworks. Furthermore, EPIC argued, privacy laws routinely provide compensation for mental and emotional damages because those harms are typical in privacy cases, similar harms were recognized at common law in invasion of privacy and defamation cases. As EPIC's brief outlines, other federal privacy laws provide similar remedies and privacy law experts agree that mental and emotional damages are likely to result from privacy violations. Given Congress' intent to provide robust privacy protections in the Privacy Act, and the typicality of mental and emotional harms in the privacy context, it is not reasonable to find that Congress intended "actual damages" to be limited to pecuniary harm. EPIC argued that the Supreme Court should uphold the Ninth Circuit decision and find that the Privacy Act unambiguously provides recovery for mental and emotional harm.

The Supreme Court's Decision in Cooper

On March 28, 2012, the Supreme Court reversed the Ninth Circuit’s decision, holding that mental and emotional distress did not constitute "actual damages" as required to recover civil remedies from the government for a Privacy Act violation. Fed. Aviation Admin. v. Cooper, 131 S. Ct. 1441 (2012). Writing for the majority, Justice Alito wrote that the text of the Privacy Act did not "unequivocally" authorize damages for mental or emotional distress. Cooper, 131 S. Ct. at 1448. Applying the "sovereign immunity cannon" of statutory construction, the Court held that the ambiguity as to the meaning of "actual damages" must be construed in favor of the government to include only pecuniary (economic) damages. Id.

Although the Court acknowledged that the term "actual damages" has been used in other statutes to include both pecuniary and nonpecuniary damages, it held that a more narrow reading of the term was "plausible" and that its meaning must be considered "in the particular context in which it appears." Id. at 1453. The Court drew a parallel to the common law actions of libel per quod and slander, which allow recovery of "general damages" only if "special damages" — limited to pecuniary loss — are proven. Id. at 1451. The Court also found that it was reasonable to infer that Congress, when it removed the term "general damages" from the Act, meant to foreclose recovery for nonpecuniary harm. Id. at 1445.

Finally, the Court cast aside Cooper and EPIC’s argument that limiting recovery to economic loss would frustrate the purpose of the Privacy Act since violations of privacy often result in emotional and mental injury. Id. at 1455. The Court simply held that this effect had no bearing on Congress' intent to limit liability to pecuniary harm. Id.

A dissent written by Justice Sotomayor condemned the majority’s decision as eliminating the ability to recover the "primary, and often only, damage sustained as a result of an invasion of privacy, namely mental or emotional distress." Id. at 1456 (S. Sotomayor, dissenting). The decision "cripples the Act's core purpose of redressing and deterring violations of privacy interests." Id. The dissent pointed out that the majority ignored traditional tools of statutory interpretation in relying on the sovereign immunity cannon and thus incorrectly "import[ed] immunity back into a statute designed to limit it." Id. The dissent concluded that reading "actual damages" to permit recovery for any injury established by "competent evidence in the record—pecuniary or not—best effectuates the statute’s basic purpose." Id. at 1462.

EPIC's Interest in Cooper v. Federal Aviation Adminstration

EPIC has a longstanding interest in the effective enforcement of privacy laws in the United States, including the Privacy Act of 1974. EPIC has filed several amicus briefs in numerous Supreme Court and Courts of Appeals cases concerning privacy statutes and issues. EPIC also maintains a Privacy Act webpage.

In Doe v. Chao, 540 U.S. 614 (2004), EPIC filed an amicus brief concerning the Privacy Act of 1974. EPIC's amicus brief argued that the award of actual damages in compensation for Social Security Number (SSN) disclosure under the Privacy Act should be triggered not by a showing of specific monetary damages, but by a showing of adverse effect to the individual, defined as risk of SSN misuse. EPIC established that numerous studies demonstrate the risk
of harm that results from the wrongful disclosure of the SSN, as well as the practical problems that may arise in trying to quantify privacy harms. EPIC then laid out the legal justification for awarding statutory damages to subjects of data breaches under the Privacy Act, highlighting the legislative history of the Act and the work of prominent privacy scholars. The Supreme Court held that under the Privacy Act, an individual must prove he has suffered damages before he can receive a $1,000 minimum statutory award when the government wrongfully discloses his Social Security Number. The Court refrained from deciding if damages are limited to actual monetary harms, which is the legal question now before the Court.

In Smith v. Doe, 538 U.S. 84 (2003), EPIC filed an amicus brief concerning an Alaska law permitting inclusion of names, addresses, descriptions, and other private information in a sex offender registry to be broadcast over the Internet. EPIC argued that where the government compiles private information about an individual, the individual has a valid expectation that the information will not be disseminated indiscriminately. Further, EPIC argued that the government has a duty to impose safeguards and limitations upon its dissemination of such information. The Supreme Court upheld the Alaska law.

In Reno v. Condon, 528 U.S. 141 (2000), EPIC's amicus brief argued that the 1994 Drivers Privacy Protection Act was a constitutional exercise of Congressional authority and did not violate the Tenth Amendment. In that case, the Supreme Court considered whether the Drivers Privacy Protection Act, which prohibits the disclosure of personally identifiable information and motor vehicle records by public agencies and private persons, was an unconstitutional breach of federalism principles. EPIC argued that individuals have a reasonable expectation of privacy in their DMV records and a constitutional interest in limiting the collection and use of personal information obtained by state agencies. The Court held that the Act appropriately restricts states from disclosing a driver’s personal information without the driver’s consent.

EPIC also has a longstanding interest in protecting the privacy of health information. This right to privacy is particularly important as the uses of medical information have multiplied, with entities not subject to the medical ethics codes, like the government, collecting medical information. EPIC has filed several amicus briefs concerning the protection of health information privacy.

In Sorrell v. IMS Health, 630 F.3d 263 (2nd Cir. 2010), a case that was later considered by the Supreme Court, EPIC filed an amicus brief in support of a challenged Vermont law that regulates data mining companies that sell or use doctors' prescribing records containing personal information on patients. EPIC argued that the privacy interest in safeguarding medical records is substantial and that the de-identification techniques adopted by data mining firms do not protect patient privacy. The Second Circuit struck down the Vermont law as violating the First Amendment. Writing in dissent and siding with EPIC, Judge Debra Ann Livingston said that the majority reached the "wrong result," creating "precedent likely to have pernicious broader effects" on medical privacy case law. The Supreme Court affirmed the Second Circuit decision.

In IMS Health v. Ayotte, 550 F.3d 42 (1st Cir. 2008), EPIC filed an amicus brief in support of a New Hampshire law that bans the sale of prescriber-identifiable prescription drug data for marketing purposes. EPIC argued that there is a substantial privacy interest in de-identified patient data. The First Circuit upheld the New Hampshire law, and the Supreme Court refused to hear the challenge to the law.